At the Security of Things Forum in Washington on Thursday, experts warned about vulnerabilities built into internet-connected devices. Joshua Corman (r.), director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center, spoke with Charley Snyder (c.) from the Department of Defense and Suzanne Schwartz from the Food and Drug Administration.

Flaws in connected cameras, recorders broader than bad passwords

After last week's cyberattack leveraged insecure internet-connected devices to wage a denial of service attack, many experts urged consumers to change passwords. But that alone won't solve the problem.

October 28, 2016
—Cybercriminals last week amassed a powerful online weapon from compromised internet-linked cameras and video recorders prompting warnings to consumers to change default passwords on their gadgets.

But weak passwords aren't the only security issues that come along with the fast-growing Internet of Things (IoT) marketplace, experts warn. A host of problems – from how devices connect to the internet to how they are manufactured – are leading to increasing worries over how attackers could take advantage of insecurities in connected devices.

The warnings about connected devices follow a recent assault on Dyn, a company that provides a core piece of internet infrastructure, that relied on software called Mirai to take over and control vulnerable internet-connected devices.

Follow Passcode!

Cybersecurity news and analysis delivered straight to your inbox.

According to analysis by the security firm Imperva, Mirai spreads by performing wide-ranging scans of internet addresses to locate under-secured IoT devices that can be remotely accessed. Once it finds these devices, Mirai is programmed to guess at usernames and passwords to try to gain access to them – a so called "brute force" attack.

Many of the devices compromised in the Dyn attack came from a single Chinese supplier, XiongMai Technology. Xiongmai's hardware and software reside in many brands of closed-circuit cameras, digital video recorders, and other devices and contain a hidden, administrative account that could not be changed by users.

"These devices have tons of issues," says Billy Rios, the founder of the security firm Whitescope and a recognized expert on the security of embedded systems. "The reason that Mirai just exploited weak passwords as that it was all it needed to do. Why put more effort into it than you need to?"

A bigger problem than the default password, says Mr. Rios, is the shoddy manner in which internet-connected objects like cameras are deployed, allowing even nontechnical criminals and mischief makers to locate them with a simple online search.

Even without malicious software to speed the process along, finding insecure IoT devices is as easy as running an internet search. Search engines like Shodan have long allowed the curious to search for internet-connected machines in the same way that web surfers use Google to search for web pages. On any given day, a search for common IP-enabled cameras like this turn up tens of thousands of devices that can be accessed directly from the internet.

In many cases, that's because the third-party firms that install and manage them on behalf of businesses, local governments, or even consumers want easy, remote access to them, Rios says. "Truck rolls – having to go out in person to service a device – are expensive," he says. Allowing the cameras to be reachable from the public Internet makes it very easy to deploy and maintain or manage them remotely.

The Chinese supplier, XiongMai, has promised a recall of 10,000 affected cameras. But it is unclear how that will be carried out.

Speaking Thursday at The Security of Things Forum in Washington, an event hosted by Passcode and The Security Ledger, security experts said there were few incentives to encourage IoT device makers to improve their practices.

"In the Internet of Things space, the consumer of the device doesn't care, and we haven't yet built in an incentive for either the manufacturer or the consumer to pay for security," said Anup Ghosh of the firm Invincea. "Besides, most of these devices are made in China, so how do you regulate that?"

Experts noted that it doesn't have to be this way. Home gaming consoles such as Sony's PlayStation and Microsoft XBox are many times more powerful than cameras and also connect to the internet, for instance. They're also among the best engineered and most secure devices around and meet a very high standard for rigor both in their design and deployment, notes Rios.

For now, however, the attacks of recent weeks have forced a reconsideration of the question of how to secure a fast growing IoT space, said Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center, in a briefing with reporters on Monday. Mr. Corman also spoke at Thursday's Security of Things Forum.

The public and private sectors may be forced to embrace controversial ideas – from safety labels on connected product to strict software liability laws to hold publishers accountable for their wares. Otherwise, more extreme proposals may gain traction, such as destroying devices that are participating in large scale attacks like those of recent weeks or using selective filtering to block those devices' access to the internet, Mr. Corman warned.

Likening the population of low cost, insecure devices to a mosquitoes-infested swamp, Corman said big changes may be in the offing. "If we want to drain the swamp, we’re going to have to look at what the future is for these endpoints that are less valuable."

Editor's note: This story was updated after publication to clarify comments from Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center, referring to more extreme measures to safeguard connected devices.